DrayTek Vigor3900 Firmware vulnerabilities
48 known vulnerabilities affecting draytek/vigor3900_firmware.
Total CVEs: 48
CISA KEV: 2 (actively exploited)
Public exploits: 2
Exploited in wild: 13
Severity breakdown: CRITICAL 19, HIGH 29
Vulnerabilities
Page 2 of 3
CVE-2024-51245 [HIGH] CWE-78 | P3 | CVSS 8.8 | v1.5.1.3 | 2024-11-01
In DrayTek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the rename_table function.
nvd
CVE-2024-51244 [HIGH] CWE-78 | P3 | CVSS 8.8 | v1.5.1.3 | 2024-11-01
In DrayTek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doIPSec function.
nvd
CVE-2024-51248 [HIGH] CWE-78 | P3 | CVSS 8.8 | v1.5.1.3 | 2024-11-01
In DrayTek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the modifyrow function.
nvd
CVE-2024-51247 [HIGH] CWE-78 | P3 | CVSS 8.8 | v1.5.1.3 | 2024-11-01
In DrayTek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doPPPo function.
nvd
CVE-2024-51299 [HIGH] CWE-77 | P3 | CVSS 8.8 | v1.5.1.3 | 2024-10-30
In DrayTek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the dumpSyslog function.
nvd
CVE-2024-51304 [HIGH] CWE-77 | P3 | CVSS 8.8 | v1.5.1.3 | 2024-10-30
In DrayTek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the ldap_search_dn function.
nvd
CVE-2024-51301 [HIGH] CWE-77 | P3 | CVSS 8.8 | v1.5.1.3 | 2024-10-30
In DrayTek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the packet_monitor function.
nvd
CVE-2024-51296 [HIGH] CWE-77 | P3 | CVSS 8.8 | v1.5.1.3 | 2024-10-30
In DrayTek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the pingtrace function.
nvd
CVE-2024-51300 [HIGH] CWE-77 | P3 | CVSS 8.8 | v1.5.1.3 | 2024-10-30
In DrayTek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the get_rrd function.
nvd
CVE-2024-48153 [CRITICAL] CWE-77 | P3 | CVSS 9.8 | v1.5.1.3 | 2024-10-14
DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the get_subconfig function.
nvd
CVE-2024-51260 [CRITICAL] CWE-77 | P3 | CVSS 9.8 | v1.5.1.3 | 2024-10-31
DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the acme_process function.
nvd
CVE-2024-51259 [CRITICAL] CWE-77 | P3 | CVSS 9.8 | v1.5.1.3 | 2024-10-31
DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the setup_cacertificate function.
nvd
CVE-2024-44845 [HIGH] CWE-78 | P3 | CVSS 8.8 | v1.5.1.6 | 2024-09-06
DrayTek Vigor3900 v1.5.1.6 was discovered to contain an authenticated command injection vulnerability via the value parameter in the filter_string function.
nvd
CVE-2024-44844 [HIGH] CWE-78 | P3 | CVSS 8.8 | v1.5.1.6 | 2024-09-06
DrayTek Vigor3900 v1.5.1.6 was discovered to contain an authenticated command injection vulnerability via the name parameter in the run_command function.
nvd
CVE-2024-51255 [CRITICAL] CWE-77 | P3 | CVSS 9.8 | v1.5.1.3 | 2024-10-31
DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the ruequest_certificate function.
nvd
CVE-2024-51258 [HIGH] CWE-77 | P3 | CVSS 8.8 | v1.5.1.3 | 2024-10-30
DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doSSLTunnel function.
nvd
CVE-2024-51257 [HIGH] CWE-77 | P3 | CVSS 8.8 | v1.5.1.3 | 2024-10-30
DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doCertificate function.
nvd
CVE-2020-14473 [CRITICAL] CWE-787 | P3 | CVSS 9.8 | fixed in 1.5.1.1 | 2020-06-24
Stack-based buffer overflow vulnerability in Vigor3900, Vigor2960, and Vigor300B with firmware before 1.5.1.1.
nvd
CVE-2024-45889 [HIGH] CWE-78 | P3 | CVSS 8.0 | v1.5.1.3 | 2024-11-04
DrayTek Vigor3900 1.5.1.3 contains a post-authentication command injection vulnerability. This vulnerability occurs when the `action` parameter in `cgi-bin/mainfunction.cgi` is set to `commandTable`.
nvd
CVE-2024-45893 [HIGH] CWE-78 | P3 | CVSS 8.0 | v1.5.1.3 | 2024-11-04
DrayTek Vigor3900 1.5.1.3 contains a post-authentication command injection vulnerability. This vulnerability occurs when the `action` parameter in `cgi-bin/mainfunction.cgi` is set to `setSWMOption`.
nvd